
Comments for DBMS_ASSERT - Sanitize User Input to Help Prevent SQL Injection


lesio said...

Great article

tws said...

Excellent as usual, thanks Tim

Rich Soule said...

Tim,
This:
Quoted names must be enclosed by double quotes and may contain any characters, including quotes provided they are represented by two quotes in a row ("").
Could be this:
Quoted names must be enclosed by double-quotes and may contain any characters. You can even include double-quotes provided they are represented by two double-quotes in a row ("").

Rich Soule said...

Tim,

This:

The function ignores leading and trailing white spaces are ignored

Could be this:

The function ignores any leading and trailing white space

Tim... said...

Hi.

First sentence: I like it the way it is.
Second sentence: Clearly a typo. Corrected.

Cheers

Tim...

Rich Soule said...

including quotes provided they are represented by two quotes in a row ("").

how about

including quotes provided they are represented by two quotes in a row ("") or ('').

When I first read it, it seemed wrong... then I read it a few more times and realized it was correct-ish.
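As an added example (not the article's code and not Oracle's DBMS_ASSERT package itself), the quoted-name rule discussed in the comments above modelled in Python: a checker that accepts a quoted name only when it is enclosed in double quotes and every embedded double quote is doubled, a helper that produces such a name from arbitrary text, and a guard that refuses to build dynamic SQL from a name that fails the check. The function names and the dynamic-SQL use are assumptions made for illustration.

```python
import re

# Model of the rule quoted in the comments above: a quoted name is enclosed
# in double quotes and may contain any characters, as long as every embedded
# double quote is written as two in a row (""). Unquoted names must look like
# an ordinary identifier. This is an added illustration, not the logic of
# Oracle's DBMS_ASSERT package itself.
UNQUOTED_NAME = re.compile(r'^[A-Za-z][A-Za-z0-9_$#]*$')


def is_simple_sql_name(name: str) -> bool:
    """True if NAME is a valid simple SQL name under the quoting rule."""
    name = name.strip()                  # leading/trailing white space is ignored
    if not name:
        return False
    if name[0] != '"':
        return UNQUOTED_NAME.match(name) is not None
    if len(name) < 3 or name[-1] != '"':
        return False                     # must be enclosed by double quotes
    body = name[1:-1]
    # After removing every adjacent pair, no lone double quote may remain.
    return '"' not in body.replace('""', '')


def quote_identifier(raw: str) -> str:
    """Turn arbitrary text into a quoted name by doubling embedded quotes.

    Two kinds of doubling are in play: the name itself doubles double
    quotes (""), while a PL/SQL string literal holding that name would in
    turn double any single quotes ('').
    """
    return '"' + raw.replace('"', '""') + '"'


def build_select(table_name: str) -> str:
    """Build a dynamic statement only from a name that passed the check."""
    if not is_simple_sql_name(table_name):
        raise ValueError(f"invalid SQL name: {table_name!r}")
    return f"SELECT COUNT(*) FROM {table_name.strip()}"


if __name__ == "__main__":
    # Constructed sample inputs, including one that fails the check.
    for candidate in ['emp', '"my ""quoted"" name"', '"unbalanced"quote"',
                      'emp; DROP TABLE emp', quote_identifier('odd"name')]:
        print(f"{candidate!r:35} -> {is_simple_sql_name(candidate)}")
```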

Tim... said...

Hi.

I've altered, but I really think this is over the top. If someone doesn't understand basic string handling in PL/SQL, I really don't think they are going to get their head around SQL injection. The original typo (bad copy/paste) needed correcting and I did, but this is just too much.

Cheers

Tim...

Anonymous said...

Very helpful.

Thanks Tim
